CVE-2021-37704
moderate-risk
Published 2021-08-12
PhpFastCache is a high-performance backend cache system (packagist package phpfastcache/phpfastcache). In versions before 6.1.5, 7.1.2, and 8.0.7 the `phpinfo()` can be exposed if the `/vendor` is not protected from public access. This is a rare situation today since the vendor directory is often located outside the web directory or protected via server rule (.htaccess, etc). Only the v6, v7 and v8 will be patched respectively in 8.0.7, 7.1.2, 6.1.5. Older versions such as v5, v4 are not longer supported and will **NOT** be patched. As a workaround, protect the `/vendor` directory from public access.
Do I need to act?
!
53.1% chance of exploitation in next 30 days
EPSS score — higher than 47% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10
Medium
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (16)
Third Party Advisory
https://github.com/PHPSocialNetwork/phpfastcache/pull/814
Third Party Advisory
https://github.com/PHPSocialNetwork/phpfastcache/pull/815
Third Party Advisory
https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p...
Third Party Advisory
https://github.com/PHPSocialNetwork/phpfastcache/pull/814
Third Party Advisory
https://github.com/PHPSocialNetwork/phpfastcache/pull/815
Third Party Advisory
https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p...
44
/ 100
moderate-risk
Severity
21/34 · High
Exploitability
18/34 · Moderate
Exposure
5/34 · Minimal